[OO-4292] RestAPI: can't create new groups in a course - OpenOlat Issue Management

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 14.1.2
Fix Version/s: 14.1.4
Component/s: REST, LDAP, oAuth2, OpenID, Shibboleth Adapter
Labels:
None

Funded by:
- VCRP

Description

Creating new groups in a course with /repo/courses/{courseId}/groups results in a 401 error (not authorized). This patch fixes that:

diff --git a/src/main/java/org/olat/restapi/repository/course/CourseGroupWebService.java b/src/main/java/org/olat/restapi/repository/course/CourseGroupWebService.java
index 58623e9..4dc1509 100644
--- a/src/main/java/org/olat/restapi/repository/course/CourseGroupWebService.java
+++ b/src/main/java/org/olat/restapi/repository/course/CourseGroupWebService.java
@@ -51,6 +51,8 @@
 import org.olat.core.util.vfs.QuotaManager;
 import org.olat.core.util.vfs.VFSContainer;
 import org.olat.core.util.vfs.VFSManager;
+import org.olat.course.CourseFactory;
+import org.olat.course.ICourse;
 import org.olat.group.BusinessGroup;
 import org.olat.group.BusinessGroupService;
 import org.olat.group.model.SearchBusinessGroupParams;
@@ -212,7 +214,8 @@
 	@Consumes({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
 	@Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
 	public Response putNewGroup(GroupVO group, @Context HttpServletRequest request) {
-		if(!RestSecurityHelper.isGroupManager(request)) {
+		ICourse icourse = CourseFactory.loadCourse(course.getResourceableId());
+		if(!RestSecurityHelper.isGroupManager(request) && !RestSecurityHelper.isOwnerGrpManager(icourse, request)) {
 			return Response.serverError().status(Status.UNAUTHORIZED).build();
 		} else if(course == null) {
 			return Response.serverError().status(Status.NOT_FOUND).build();
diff --git a/src/main/java/org/olat/restapi/security/RestSecurityHelper.java b/src/main/java/org/olat/restapi/security/RestSecurityHelper.java
index 8804b11..d67190c 100644
--- a/src/main/java/org/olat/restapi/security/RestSecurityHelper.java
+++ b/src/main/java/org/olat/restapi/security/RestSecurityHelper.java
@@ -79,6 +79,19 @@
 		}
 	}
 	
+	public static boolean isOwnerGrpManager(ICourse course, HttpServletRequest request) {
+		try {
+			Roles roles = getRoles(request);
+			if(roles.isAdministrator()) return true;
+			CourseGroupManager cgm = course.getCourseEnvironment().getCourseGroupManager();
+			UserRequest ureq = getUserRequest(request);
+			Identity identity = ureq.getIdentity();
+			return cgm.isIdentityCourseAdministrator(identity) || cgm.hasRight(identity, CourseRights.RIGHT_GROUPMANAGEMENT);
+		} catch (Exception e) {
+			return false;
+		}
+	}
+
 	public static boolean isAuthorGrpManager(ICourse course, HttpServletRequest request) {
 		try {
 			Roles roles = getRoles(request);

BTW: The function isAuthorGrpManager() is not used and in this context not correct because an author would get the right to create groups in any course.

Figma for Jira By 42nd

Attachments

Activity

People

Assignee:: Stéphane Rossé

Reporter:: Stephan Clemenz

Tester:: Mandy Menzel

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 07/Oct/19 10:25 AM

Updated:: 25/Oct/19 1:22 PM

Resolved:: 14/Oct/19 9:16 PM